)]}'
{
  "commit": "b752fda5f686c995a03732a2d3f6624d476abeca",
  "tree": "4e115ff80f45dafb5a362f9cf5b237634fbe6dcb",
  "parents": [
    "3fe2f55cc60f62fc64cc691c4de055226937845e"
  ],
  "author": {
    "name": "Tatsuhiko Yasumatsu",
    "email": "th.yasumatsu@gmail.com",
    "time": "Thu Sep 30 22:55:45 2021 +0900"
  },
  "committer": {
    "name": "Meena Shanmugam",
    "email": "meenashanmugam@google.com",
    "time": "Sat Oct 16 03:22:34 2021 +0000"
  },
  "message": "bpf: Fix integer overflow in prealloc_elems_and_freelist()\n\n[ Upstream commit 30e29a9a2bc6a4888335a6ede968b75cd329657a ]\n\nIn prealloc_elems_and_freelist(), the multiplication to calculate the\nsize passed to bpf_map_area_alloc() could lead to an integer overflow.\nAs a result, out-of-bounds write could occur in pcpu_freelist_populate()\nas reported by KASAN:\n\n[...]\n[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100\n[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78\n[   16.970038]\n[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1\n[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n[   16.972026] Call Trace:\n[   16.972306]  dump_stack_lvl+0x34/0x44\n[   16.972687]  print_address_description.constprop.0+0x21/0x140\n[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.974257]  kasan_report.cold+0x7f/0x11b\n[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100\n[   16.975190]  pcpu_freelist_populate+0xd9/0x100\n[   16.975669]  stack_map_alloc+0x209/0x2a0\n[   16.976106]  __sys_bpf+0xd83/0x2ce0\n[...]\n\nThe possibility of this overflow was originally discussed in [0], but\nwas overlooked.\n\nFix the integer overflow by changing elem_size to u64 from u32.\n\n  [0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/\n\nFixes: 557c0c6e7df8 (\"bpf: convert stackmap to pre-allocation\")\nSigned-off-by: Tatsuhiko Yasumatsu \u003cth.yasumatsu@gmail.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nLink: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n\nBUG\u003db/202643194\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixes CVE-2021-41864.\n\ncos-patch: security-moderate\nChange-Id: I86ee5883d876a048676cf0ae78ce7bd53843725d\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/24070\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\nReviewed-by: Vaibhav Rustagi \u003cvaibhavrustagi@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "fba2ade28fb3a264987745366119ff710b216035",
      "old_mode": 33188,
      "old_path": "kernel/bpf/stackmap.c",
      "new_id": "49c7a09d688d7a51a8fb8bff425866e20386e7ef",
      "new_mode": 33188,
      "new_path": "kernel/bpf/stackmap.c"
    }
  ]
}